Cyber risk has outgrown the security function.
CISOs are accountable for outcomes they can’t fully control. The behaviors driving human risk happen everywhere: in HR, in finance, in the C-suite. The CISO can build the program, but when a CFO approves a wire transfer without questioning urgency, or a developer pastes proprietary code into an unvetted AI tool, the CISO bears the fallout of decisions they had no seat at the table for.
Accountability structures haven’t caught up to the threat reality.
For years, “human risk” was treated as a training problem centered on phishing clicks and weak passwords. But human risk is neither evenly distributed nor isolated to awareness gaps. According to research, just 10% of users account for 73% of organizational risk. Human-initiated incidents also remain the leading driver of breaches, accounting for 74% of all incidents. And with AI embedded into enterprise workflows, the consequences of a single human error can escalate faster than most organizations are structured to contain.
That shift makes the human element an organizational design problem.
The Human Element Is a Systems Challenge
Human risk…
